author | Michael Niedermayer <michaelni@gmx.at> | 2007-10-13 12:25:31 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2007-10-13 12:25:31 +0000 |
commit | 4d570f94ba055d75f469aacadfccf0bdffcbae6c (patch) | |
tree | 4c47446850acbd74d7835765c4801f47cb9bee80 | |
parent | 972c5f9e10107650e9fb3544f22ce1e8370e9d80 (diff) | |
download | ffmpeg-4d570f94ba055d75f469aacadfccf0bdffcbae6c.tar.gz |
prevent infinite loop and memcpy of negative amounts
fixes issue194
Originally committed as revision 10726 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/aac_parser.c | 3 | ||||
-rw-r--r-- | libavcodec/ac3_parser.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c
index d6cf2693fc..ac806931ec 100644
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
 skip_bits1(&bits); /* copyright_identification_bit */
 skip_bits1(&bits); /* copyright_identification_start */
 size = get_bits(&bits, 13); /* aac_frame_length */
+ if(size < AAC_HEADER_SIZE)
+ return 0;
+
 skip_bits(&bits, 11); /* adts_buffer_fullness */
 rdb = get_bits(&bits, 2); /* number_of_raw_data_blocks_in_frame */
diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c
index d97c86e01b..034a0bdf26 100644
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
 return 0; /* Currently don't support additional streams */
 frmsiz = get_bits(&bits, 11) + 1;
+ if(frmsiz*2 < AC3_HEADER_SIZE)
+ return 0;
+
 fscod = get_bits(&bits, 2);
 if (fscod == 3) {
 fscod2 = get_bits(&bits, 2); |
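Review bot: The guard added after `size = get_bits(&bits, 13)` in aac_sync has no comment tying it to the failure it prevents, so a later cleanup could mistake it for a redundant check; the same holds for the `frmsiz*2 < AC3_HEADER_SIZE` guard in ac3_sync. The frame length is read straight from the bitstream, and per the commit message a value below the header size led to an infinite loop and a memcpy of a negative amount. I would add above each guard something like `/* frame length comes from the stream; below the header size the caller would loop forever or copy a negative amount */`. aac_sync starts and ends outside the hunk, so how the caller consumes the returned size is inferred from the commit message rather than seen here.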
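Review bot: The lower bound on `frmsiz*2` in ac3_sync sits only on the path visible in this hunk, after the "additional streams" early return. If the function derives the frame size differently for other bitstream variants, that code is outside the hunk and may need the same bound, or a comment saying why it cannot yield less than AC3_HEADER_SIZE. Presumably the function returns the size in bytes; if so, computing it once, e.g. `frame_bytes = frmsiz * 2;` (name is only a suggestion), and both testing and returning that value would keep the check and the return from drifting apart. ac3_sync's body begins and ends outside the hunk.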